I’m planning to create a new website with a single-page application. While trying out Kirby API, I noticed that the current API endpoints don’t really serve the purpose of my SPA. It’s not a big deal, I can just create my own endpoints.
The idea is to have registered & logged-in users be able to access the SPA. Let’s call them Basic Users. Registration, sign-in, and all basic user account activities will be carried out in the front-end, so they need not and should not access the panel. But to enable the API for the SPA, I need to allow panel access for them:
```yaml
title: Basic User
default: true

# Basic user needs to access panel for the Rest API, but nothing else
permissions:
  access:
    '*': false
    panel: true
    pages: false
    files: false
    languages: false
    site: false
    user: false
    users: false
```
However, I’m a bit concerned. With the above permissions, a basic user…
- is still able to access the panel and see their own settings page. While the permissions seem to prevent the user from doing any harm, it’s a bit awkward.
- can still send a GET request to `/api/users` and receive a list of all other users, effectively receiving a list of email addresses registered to the service, which of course is a big no.
I’m not sure if the latter one is a bug. But in any case, at this point, I’d rather hear if there is a way to disable the default endpoints completely for Basic users, or other ideas on how to reinforce the API security.
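As an added example that is not part of the original post, and not code from Kirby itself: one way to keep Basic Users off the default `/api/*` endpoints entirely is to leave `panel: false` in their role blueprint and instead give the SPA its own front-end routes, each of which checks the session user and only returns data scoped to that user. The route patterns (`spa-api/me`, `spa-api/users`) and the role name `basic` are assumptions; the Kirby 3 `routes` config option, `kirby()->user()`, `kirby()->users()` and `Kirby\Cms\Response` are real APIs, but their combination here is mine, and it assumes the SPA logs users in through a front-end route so that `kirby()->user()` resolves from the session.

```php
<?php
// site/config/config.php  (added example; route names and role name are assumptions)

use Kirby\Cms\Response;

return [
    'routes' => [
        // Returns only the logged-in user's own record, never anyone else's.
        [
            'pattern' => 'spa-api/me',
            'method'  => 'GET',
            'action'  => function () {
                $user = kirby()->user(); // null when no session user is logged in
                if ($user === null) {
                    return new Response('Unauthorized', 'text/plain', 401);
                }
                return Response::json([
                    'id'    => $user->id(),
                    'email' => $user->email(),
                    'role'  => $user->role()->name(),
                ]);
            }
        ],
        // A user listing that is explicitly admin-only, so a Basic User
        // cannot enumerate registered email addresses the way /api/users allows.
        [
            'pattern' => 'spa-api/users',
            'method'  => 'GET',
            'action'  => function () {
                $user = kirby()->user();
                if ($user === null) {
                    return new Response('Unauthorized', 'text/plain', 401);
                }
                if ($user->role()->name() !== 'admin') {
                    // Deny by role rather than by what the list would contain.
                    return new Response('Forbidden', 'text/plain', 403);
                }
                $list = [];
                foreach (kirby()->users() as $u) {
                    $list[] = ['id' => $u->id(), 'email' => $u->email()];
                }
                return Response::json($list);
            }
        ],
    ],
];
```

Because these routes live under `routes` rather than `api`, they do not depend on the role having `access: panel: true`, so the Basic User role can stay fully locked out of the panel and of `/api/users` while the SPA still has an endpoint to call. Any further data the SPA needs would follow the same pattern: resolve the session user first, then return only what that user is entitled to.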